3AM Ransomware Targets Non-Profit Healthcare
Written by Karolis Liucveikis on
Kootenai Health, a not-for-profit healthcare provider in Idaho that operates the largest hospital in the region and offers a wide range of medical services, including emergency care, surgery, cancer treatment, cardiac care, and orthopedics, has disclosed that it suffered a data breach.
Approximately 464,000 patients were affected after their personal information was stolen and leaked, with the 3AM ransomware gang claiming responsibility.
In an official statement by Kootenai Health, the incident was summarized as follows,
On March 2, 2024, Kootenai Health became aware of unusual activity that disrupted access to certain IT systems. Upon discovering this activity, Kootenai Health took steps to secure its digital environment. Kootenai Health also engaged leading cybersecurity experts to assist with an investigation and to determine whether personal information may have been accessed or acquired without authorization. The investigation revealed that an unknown actor may have gained unauthorized access to certain data from the Kootenai Health network on or around February 22, 2024. Kootenai Health then worked to conduct a comprehensive review of the impacted data to determine what personal and/or protected health information was involved and to verify the affected information and mailing addresses for impacted individuals to ensure Kootenai Health had the most up-to-date contact information. This process was completed on August 1, 2024.
Following the completion of the data review on August 1, 2024, it was determined that the following patient information had been compromised:
- Full names
- Dates of birth
- Social Security numbers (SSNs)
- Driver's Licenses
- Government ID numbers
- Medical record numbers
- Medical treatment and condition information
- Medical diagnoses
- Health insurance information
The 3AM Ransomware gang claimed responsibility for the attack and leaked stolen data on its dark web portal, indicating that a ransom was not paid. The stolen data consists of a 22GB archive, available for free, allowing any other cybercriminal to download it and utilize it in further attacks.
Considering what patient data has been compromised, that free data is a treasure trove to fraudsters and cybercriminals.
Kootenai Health has advised those affected, or those who believe they are impacted by the data breach, to take the following measures:
- Please notify your financial institution immediately if you detect any suspicious activity on any of your accounts, including unauthorized transactions or new accounts opened in your name that you do not recognize. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities.
- You can request a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies. To do so, free of charge once every 12 months, please visit www.annualcreditreport.com or call toll-free at 1-877-322-8228. Contact information for the three nationwide credit reporting agencies is listed at the bottom of this page.
- The Federal Trade Commission recommends steps to protect yourself from identity theft. The FTC's website offers helpful information at ftc.gov/idtheft.
- Additional information on what you can do to protect yourself better is included in your notification letter.
3AM Ransomware
In September 2023, reports began to emerge of a newly detected ransomware operation. Dubbed 3AM, the ransomware was discovered when a threat actor's attempt to deploy LockBit failed and the attacker deployed 3AM instead.
Security researchers at Symantec, who observed the failed LockBit deployment and the subsequent use of 3AM, investigated further. Their blog article detailing the discovery noted that 3AM had seen very little use up to that point.
It was also determined that 3AM is written in the Rust programming language and that the ransomware attempts to stop multiple services on the infected machine before it encrypts files. Once encryption is complete, it attempts to delete Volume Shadow Copy Service (VSS) snapshots, making recovery far harder for any victim that does not maintain comprehensive, isolated backups.
In the attack, the threat actor executed various Cobalt Strike components and tried to escalate privileges on the computer using PsExec, a tactic that is now common among ransomware threat actors.
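The three behaviours described above (mass service stopping before encryption, VSS snapshot deletion after it, and PsExec for remote execution) all leave traces in process-creation telemetry, which is where a defender would look for them. The following is an added example, not code from Symantec, Intrinsec or the 3AM authors; the log records, host names, command lines and the service-stop threshold are constructed assumptions for illustration, and a real deployment would feed it Sysmon Event ID 1 or Windows 4688 command lines instead.

```python
"""Host-side detection sketch for 3AM-style precursor activity.

Added example; the records below are constructed, not real telemetry.
Each record is (host, user, command line) as a process-creation sensor
would report it.
"""
import re
from collections import defaultdict

# Constructed sample: a workstation where services are stopped in bulk and
# shadow copies are wiped, plus a server where PsExec's service runs.
SAMPLE_LOG = [
    ("WS01", "CORP\\jdoe", "C:\\Windows\\System32\\net.exe stop MSSQLSERVER /y"),
    ("WS01", "CORP\\jdoe", "C:\\Windows\\System32\\net.exe stop SQLWriter /y"),
    ("WS01", "CORP\\jdoe", "C:\\Windows\\System32\\net.exe stop vss /y"),
    ("WS01", "CORP\\jdoe", "C:\\Windows\\System32\\net.exe stop BackupExecAgentAccelerator /y"),
    ("WS01", "CORP\\jdoe", "C:\\Windows\\System32\\net.exe stop VeeamBackupSvc /y"),
    ("WS01", "SYSTEM", "vssadmin.exe delete shadows /all /quiet"),
    ("WS01", "SYSTEM", "wmic shadowcopy delete"),
    ("SRV02", "CORP\\admin", "C:\\Windows\\PSEXESVC.exe"),
    ("SRV02", "CORP\\admin", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
]

# Detection patterns. Matching is on the command line only; in production
# you would also key on the image path and parent process.
RULES = {
    # vssadmin / wmic shadow-copy deletion (post-encryption recovery inhibition)
    "vss_delete": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
        re.IGNORECASE),
    # net stop / sc stop of any service (pre-encryption service stopping)
    "service_stop": re.compile(
        r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+\S+", re.IGNORECASE),
    # PsExec client or the PSEXESVC service it installs on the target
    "psexec_service": re.compile(r"\\PSEXESVC\.exe$|psexec(64)?(\.exe)?\b", re.IGNORECASE),
}

# Assumed threshold: this many service stops on one host is treated as "mass".
SERVICE_STOP_THRESHOLD = 3


def analyse(records, threshold=SERVICE_STOP_THRESHOLD):
    """Return {host: sorted list of finding names} for the given records.

    "ransomware_chain" is raised only when a single host shows both mass
    service stopping and shadow-copy deletion, the ordering Symantec
    described for 3AM.
    """
    stops = defaultdict(int)
    findings = defaultdict(set)
    for host, _user, cmdline in records:
        if RULES["service_stop"].search(cmdline):
            stops[host] += 1
        if RULES["vss_delete"].search(cmdline):
            findings[host].add("vss_delete")
        if RULES["psexec_service"].search(cmdline):
            findings[host].add("psexec_service")
    for host, count in stops.items():
        if count >= threshold:
            findings[host].add("mass_service_stop")
    for host, names in findings.items():
        if {"mass_service_stop", "vss_delete"} <= names:
            names.add("ransomware_chain")
    return {host: sorted(names) for host, names in findings.items()}


if __name__ == "__main__":
    for host, names in analyse(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(names)}")
```

The threshold is the tuning knob: backup agents and patch windows legitimately stop a few services, so the high-confidence signal is the combination of many stops followed by shadow-copy deletion on the same host, not either pattern alone.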
In January 2024, security researchers found evidence linking 3AM to other infamous ransomware operations, including Conti and Royal. French cybersecurity firm Intrinsec noted several overlaps between the tactics, techniques, and procedures used by 3AM and those of Conti and Royal.
The link between Royal, since rebranded as BlackSuit, and Conti stems from Royal's origins as a group of former members of Team 2, which operated under Conti's umbrella.
The link between 3AM and the Conti syndicate grew stronger as Intrinsec progressed in its investigation of the group's tactics, the infrastructure used in attacks, and its communication channels.
In analyzing an IP address that Symantec listed as a network indicator of compromise, Intrinsec researchers discovered a PowerShell script for dropping Cobalt Strike, a tactic shared by the groups listed above.
Intrinsec also observed a SOCKS4 proxy on TCP port 8000, a setup typically used for tunneling traffic. The signature of that SOCKS4 service was seen on two IP addresses that had shown the same proxy hallmark since mid-2022.
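The SOCKS4 observation above can be verified directly, because SOCKS4 has a fixed handshake: a CONNECT request is a version byte 0x04, command 0x01, a 2-byte port, a 4-byte IPv4 address and a NUL-terminated user ID, and the 8-byte reply starts with 0x00 followed by a status code (0x5A granted, 0x5B to 0x5D refused). The example below is added here and is not Intrinsec's or Symantec's tooling; the article does not give the specific signature they matched, so this only recognises whether a listener speaks SOCKS4 at all. The addresses and reply bytes are constructed.

```python
"""Minimal SOCKS4 fingerprinting: build a CONNECT request and classify the reply.

Added example; the addresses and reply bytes below are constructed.
"""
import socket
import struct

SOCKS4_VERSION = 4
SOCKS4_CMD_CONNECT = 1
# Reply codes from the SOCKS4 protocol description.
SOCKS4_REPLY_CODES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "identd not reachable",
    0x5D: "identd user mismatch",
}


def build_socks4_connect(dst_ip: str, dst_port: int, userid: bytes = b"") -> bytes:
    """Encode a SOCKS4 CONNECT request: VN, CD, DSTPORT, DSTIP, USERID, NUL."""
    header = struct.pack("!BBH4s", SOCKS4_VERSION, SOCKS4_CMD_CONNECT,
                         dst_port, socket.inet_aton(dst_ip))
    return header + userid + b"\x00"


def parse_socks4_reply(data: bytes):
    """Return a dict describing a SOCKS4 reply, or None if the bytes are not one.

    A SOCKS4 reply is 8 bytes: VN (always 0), CD (status), DSTPORT, DSTIP.
    A rejected CONNECT (0x5B) still proves a SOCKS4 service is listening,
    which is what matters when hunting for proxy infrastructure.
    """
    if len(data) < 8 or data[0] != 0:
        return None
    _vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if cd not in SOCKS4_REPLY_CODES:
        return None
    return {"code": cd, "status": SOCKS4_REPLY_CODES[cd],
            "port": port, "ip": socket.inet_ntoa(ip)}


def probe_socks4(host: str, port: int = 8000, timeout: float = 3.0):
    """Live check, only against infrastructure you are authorised to test.

    Asks the candidate proxy to CONNECT to 127.0.0.1:80 and classifies the
    reply. Returns None for a non-SOCKS4 listener or a connection failure.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_socks4_connect("127.0.0.1", 80, b"probe"))
            return parse_socks4_reply(sock.recv(8))
    except OSError:
        return None


# Constructed replies for offline demonstration.
GRANTED_REPLY = bytes([0x00, 0x5A, 0x00, 0x50, 127, 0, 0, 1])  # granted, 127.0.0.1:80
HTTP_BANNER = b"HTTP/1.1 400 Bad Request\r\n"                  # a web server, not SOCKS4

if __name__ == "__main__":
    print(build_socks4_connect("10.0.0.5", 443, b"probe").hex())
    print(parse_socks4_reply(GRANTED_REPLY))
    print(parse_socks4_reply(HTTP_BANNER))
```

Pointing `probe_socks4` at port 8000 of a host you are allowed to test is enough to confirm or rule out the proxy; pivoting from one confirmed hit to others, as Intrinsec did, then comes down to comparing what the listener returns across candidate addresses over time.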
Lastly, a TLS certificate for an RDP service on a machine named "DESKTOP-TCRDU4C" was found to be associated with attacks from mid-2022. Those attacks were attributed to Royal and used the IcedID malware dropper.